Commit 383ea553 authored by Daniel Salzman's avatar Daniel Salzman

Merge branch 'log_dnssec_no_diff' into 'master'

Log dnssec no diff

See merge request !901
parents 23669071 efb47ae1
......@@ -31,7 +31,6 @@
#include "knot/conf/module.h"
#include "knot/conf/schema.h"
#include "knot/common/log.h"
#include "knot/updates/acl.h"
#include "libknot/errcode.h"
#include "libknot/yparser/yptrafo.h"
#include "contrib/string.h"
......@@ -424,39 +423,6 @@ int check_template(
int check_zone(
knotd_conf_check_args_t *args)
{
const knot_dname_t *zone = args->id;
// Check for dnssec_signing + zonefile_load whole + acl transfer.
conf_val_t dnssec = conf_zone_get_txn(args->extra->conf, args->extra->txn,
C_DNSSEC_SIGNING, zone);
conf_val_t zf_load = conf_zone_get_txn(args->extra->conf, args->extra->txn,
C_ZONEFILE_LOAD, zone);
if (conf_bool(&dnssec) && conf_opt(&zf_load) == ZONEFILE_LOAD_WHOLE) {
conf_val_t acl = conf_zone_get_txn(args->extra->conf, args->extra->txn,
C_ACL, zone);
bool stop = false;
while (acl.code == KNOT_EOK && !stop) {
conf_val_t action = conf_id_get_txn(args->extra->conf,
args->extra->txn,
C_ACL, C_ACTION, &acl);
while (action.code == KNOT_EOK) {
if (conf_opt(&action) != ACL_ACTION_TRANSFER) {
conf_val_next(&action);
continue;
}
CONF_LOG_ZONE(LOG_NOTICE, zone,
"zone file change with DNSSEC signing can "
"result in malformed outgoing IXFR, consider "
"zone.zonefile-load setting");
stop = true;
break;
}
conf_val_next(&acl);
}
}
return KNOT_EOK;
}
......@@ -27,12 +27,30 @@
#include "knot/zone/zone-load.h"
#include "knot/zone/zone.h"
#include "knot/zone/zonefile.h"
#include "knot/updates/acl.h"
static bool dontcare_load_error(conf_t *conf, const zone_t *zone)
{
return (zone->contents == NULL && zone_load_can_bootstrap(conf, zone->name));
}
static bool allowed_xfr(conf_t *conf, const zone_t *zone)
{
conf_val_t acl = conf_zone_get(conf, C_ACL, zone->name);
while (acl.code == KNOT_EOK) {
conf_val_t action = conf_id_get(conf, C_ACL, C_ACTION, &acl);
while (action.code == KNOT_EOK) {
if (conf_opt(&action) == ACL_ACTION_TRANSFER) {
return true;
}
conf_val_next(&action);
}
conf_val_next(&acl);
}
return false;
}
int event_load(conf_t *conf, zone_t *zone)
{
zone_contents_t *journal_conts = NULL, *zf_conts = NULL;
......@@ -107,7 +125,7 @@ int event_load(conf_t *conf, zone_t *zone)
}
val = conf_zone_get(conf, C_DNSSEC_SIGNING, zone->name);
bool dnssec_enable = conf_bool(&val);
bool dnssec_enable = conf_bool(&val), zu_from_zf_conts = false;
zone_update_t up = { 0 };
// Create zone_update structure according to current state.
......@@ -119,7 +137,9 @@ int event_load(conf_t *conf, zone_t *zone)
} else if (zf_from == ZONEFILE_LOAD_WHOLE) {
// throw old zone contents and load new from ZF
ret = zone_update_from_contents(&up, zone, zf_conts,
(load_from == JOURNAL_CONTENT_NONE ? UPDATE_FULL : UPDATE_INCREMENTAL));
(load_from == JOURNAL_CONTENT_NONE ?
UPDATE_FULL : UPDATE_INCREMENTAL));
zu_from_zf_conts = true;
} else {
// compute ZF diff and if success, apply it
ret = zone_update_from_differences(&up, zone, zone->contents, zf_conts, UPDATE_INCREMENTAL);
......@@ -133,7 +153,8 @@ int event_load(conf_t *conf, zone_t *zone)
// load zone-in-journal, compute ZF diff and if success, apply it
ret = zone_update_from_differences(&up, zone, journal_conts, zf_conts, UPDATE_INCREMENTAL);
if (ret == KNOT_ESEMCHECK || ret == KNOT_ERANGE) {
log_zone_warning(zone->name, "zone file changed with SOA serial %s, "
log_zone_warning(zone->name,
"zone file changed with SOA serial %s, "
"ignoring zone file and loading from journal",
(ret == KNOT_ESEMCHECK ? "unupdated" : "decreased"));
zone_contents_deep_free(zf_conts);
......@@ -151,6 +172,9 @@ int event_load(conf_t *conf, zone_t *zone)
ret = zone_update_from_contents(&up, zone, zf_conts,
(load_from == JOURNAL_CONTENT_NONE ?
UPDATE_FULL : UPDATE_INCREMENTAL));
if (zf_from == ZONEFILE_LOAD_WHOLE) {
zu_from_zf_conts = true;
}
}
}
}
......@@ -185,6 +209,11 @@ int event_load(conf_t *conf, zone_t *zone)
zone_update_clear(&up);
goto cleanup;
}
if (zu_from_zf_conts && (up.flags & UPDATE_INCREMENTAL) && allowed_xfr(conf, zone)) {
log_zone_warning(zone->name,
"with automatic DNSSEC signing and outgoing transfers enabled, "
"'zonefile-load: difference' should be set to avoid malformed IXFR");
}
}
// Commit zone_update back to zone (including journal update, rcu,...).
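Review bot: The new warning condition `if (zu_from_zf_conts && (up.flags & UPDATE_INCREMENTAL) && allowed_xfr(conf, zone))` reports that "automatic DNSSEC signing" is enabled, yet none of its three operands tests `dnssec_enable`; that presumably comes from an enclosing block whose opening is outside this hunk (only its closing `}` is visible), so a one-line comment would keep the message honest for the next reader, e.g. `// Only reached when DNSSEC signing is on: a whole-file reload applied as an incremental update yields an IXFR that cannot be served consistently.`. Ordering `allowed_xfr()` last is good, since the ACL walk then runs only when the cheaper flags already hold. `allowed_xfr` in the first hunk of this file carries no header comment; I would add `/* True if any ACL bound to the zone grants the transfer action, i.e. outgoing XFR is possible. */` above it. event_load starts and ends outside these hunks.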
......@@ -938,15 +938,10 @@ static const yp_item_t desc_remote[] = {
{ NULL }
};
static const knot_lookup_t zonefile_load[] = {
{ 0, NULL }
};
#define ZONE_ITEMS \
{ C_FILE, YP_TSTR, YP_VNONE }, \
{ C_MASTER, YP_TREF, YP_VREF = { C_RMT }, YP_FMULTI, { check_ref } }, \
{ C_DNSSEC_SIGNING, YP_TBOOL, YP_VNONE }, \
{ C_ZONEFILE_LOAD, YP_TOPT, YP_VOPT = { zonefile_load, ZONEFILE_LOAD_WHOLE } }, \
{ C_COMMENT, YP_TSTR, YP_VNONE },
static const yp_item_t desc_template[] = {